Overview#LDAP ping is a Microsoft Active Directory a specific Lightweight Directory Access Protocol (LDAP) or Connection-less Lightweight Directory Access Protocol (CLDAP) search that returns information about whether services are live on a Domain Controller (DC).
As far as we know, this LDAP ping is only used to verify the "Liveness" and Capability Verification of a specific Domain Controller.
This is typically performed by the Local Netlogon service after the Locating the Domain Controller Canidate and the Windows Clients use the logic defined on the for 126.96.36.199 Ping the Candidate Domain Controllers for "Liveness" and Capability Verification Using LDAP Ping Mechanism
(&(DnsDomain=abcde.corp.microsoft.com)(Host=abcdefgh-dev)(User=abcdefgh-dev$)(AAC=\80\00\00\00)(DomainGuid=\3b\b0\21\ca\d3\6d\d1\11\8a\7d\b8\df\b1\56\87\1f)(NtVer=\06\00\00\00))but it appears the Host and DomainGuid are not required.
(&(DnsDomain=EXAMPLE.COM)(NtVer=\06\00\00\02))Returns some value for the Netlogon attribute.
The first 4 bits of the first byte of the NtVer value generates four different replies (\01\00\00\00, \02\00\00\00, \04\00\00\00, \08\00\00\00) but the author of this paragraph has only ever observed a value of \06\00\00\20. The mechanics behind these bits is not known but the structures seem to correspond to Netlogon mailslot operations.
Specifications#Microsoft has specifications available in the MS-ADTS document.
Microsoft Active Directory encodes the results of an LDAP search performed over UDP in the same manner as it does a search performed over TCP.
More specifically, as one or more SearchResultEntry messages followed by a SearchResultDone message, as described in RFC 2251.
This means that the search response is not encoded as described in RFC 1798.
More Information#There might be more information for this subject on one of the following:
- Connection-less Lightweight Directory Access Protocol
- LDAP ping
- Netlogon attribute
- Web Blog_blogentry_190516_1